IT Unlike Any Other

Two more articles on Global Payments breach

“What’s the takeaway on PCI?” Litan asked on Monday in a blog post. “The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.”

The worst thing I’ve been able to determine from the details so far is that it seems Global Payments was storing Track Data – information swiped from the magnetic stripe on the back of the card. The PCI DSS explicitly forbids storing track data (requirement 3.2.1), and PCI considers the storage of sensitive authentication data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.
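The practical check that follows from requirement 3.2.1 is to look for track data at rest before an auditor (or an attacker) does. The scanner below is an added example, not code from the original post or from Global Payments: it matches the ISO 7813 Track 1 and Track 2 layouts in log lines or database exports, filters out random digit runs with the Luhn check, and reports only a masked PAN so the scan output does not itself become a new store of cardholder data. The sample lines, their transaction IDs and the test PAN 4111111111111111 are constructed for the example.

```python
"""Scan text (log lines, DB exports, file contents) for magnetic-stripe track data at rest.

Added example: the sample records below are constructed, not taken from any real breach.
"""
import re
from typing import Dict, Iterable, List

# ISO 7813 layouts.
# Track 1 (format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:                 ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^%?]{2,26})\^(\d{4})(\d{3})[^?]{0,79}\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """True if the PAN passes the Luhn check digit; drops random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the display form PCI DSS permits); hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per track-data hit: line number, track type, masked PAN, expiry (YYMM)."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(lines, 1):
        for track, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in regex.finditer(line):
                pan = m.group(1)
                if not luhn_ok(pan):
                    continue                       # not a real PAN, skip
                expiry = m.group(3) if track == "track1" else m.group(2)
                findings.append({
                    "line": str(lineno),
                    "track": track,
                    "pan": mask_pan(pan),           # never write the full PAN to the report
                    "expiry": expiry,
                })
    return findings


# Constructed sample records: a POS debug log line holding full Track 1, a transaction
# export holding full Track 2, a compliant truncated record, and a Luhn-failing decoy.
SAMPLE_LINES = [
    "pos-07 swipe raw=%B4111111111111111^DOE/JOHN^2512101000000000000000? status=ok",
    'txn_id=88213 track2=";4111111111111111=25121011234567890?" amount=42.10',
    "txn_id=88214 pan_last4=1111 amount=19.99",
    'txn_id=88215 track2=";4111111111111112=25121011234567890?"',
]

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['track']} PAN={hit['pan']} exp={hit['expiry']}")
```

Run against a directory of logs or a database export, the interesting result is any hit at all: under 3.2.1 there is no acceptable quantity of stored track data after authorization, so the finding is the location to fix, not a count to trend. The third sample line shows what a compliant record looks like (last four digits only), and the fourth shows why the Luhn filter matters when scanning noisy data.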

It’s a doubly bad violation of the DSS: 1) not being compliant in the first place, and 2) suffering a loss of cardholder data.

I imagine the reinstatement audit, if there is one, will be quite extensive.